My last blog post presented the changes released by the Security and Exchange Commission on July 26, 2023 to their “SEC New Rules on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure by Public Companies.” These changes are quite impactful to Public Companies and their regulatory reporting concerning cybersecurity and have been welcomed by professional practitioners in the cybersecurity fields. Some of us may wish that the SEC had gone a little further in and with their new rules, but …. progress is progress. If you are a member of a private company breathing a sigh of relief that you are not “required” to make such reporting and disclosures, I would suggest that you take a close look at these new SEC Rules and consider how your Cybersecurity practices compare to these “rules” for public companies. I will be coming back to this topic in future posts to explore some of these new rules in more depth.
In my July 2023 post, I discussed what the World Economic Forum “Global Risks Report 2023” and the “Alliance Risk Barometer 2023” tell us. Both reports can be summed up with the following bullet points:
Cyber Insecurity / cybercrime-triggered Business Interruption is the most feared of all Risks
Cyber Connectedness is Pervasive
Cyber Business Interruptions as a result are Pervasive and Impactful
Some of you may read this and say … “I need a risk report to tell me this? … Duh!” Well, apparently, we do need these reports to provide us with real and in-depth assessments of risk because our industries, economy and personal lives keep being impacted by Cyber Insecurity every day. This fact of life today provides a segue into a brief look into each of us as Risk Managers.
Throughout my career, I have been amazed by the disconnect I have seen and experienced between the way we behave in our personal lives as compared to how we behave in our business lives regarding Risk. I say we, just to generalize, fully realizing that we are not all the same, do not all have the same backgrounds and experiences, and do not all behave the same ways in any aspect of our lives, never mind in our business lives. However, patterns do and have emerged, enough so that I feel comfortable examining Risk Behaviors with you.
Every human being on planet Earth is a Risk Manager
At first glance, this may seem like a very profound assertion on my part!
Let’s explore this. I assert that each of us begins our training as a Risk Manager from the day of our birth. As babies, our parents first protect us from harm, and as children, we begin the lifelong learning process of having our parents and others teaching us about the things that can harm us and training us how to protect ourselves. I am sure we have all been taught to:
- Look both ways before crossing a street.
- Do not go anywhere with strangers.
- Do not stand under or next to trees in a lightning storm.
- Dress warmly in inclement weather.
These are just a small sample of things we learn about as children that can harm us or cause injury.
These are threats to our well-being.
These four threats are very specific. Each of these threats has a specific range of impacts. We can easily be hit by a car when crossing a street and be injured or killed. Some strangers may wish to do us physical harm. Being struck by lightning will cause grievous bodily harm or outright death. We can easily suffer frostbite or hypothermia and potential death if exposed to cold temperatures for an extended period.
The specific actions we have been taught as children to avoid harm are very specific threat avoidance and mitigation actions we can practice.
Every time we check traffic before crossing a street or intersection to determine if we can cross safely, we are evaluating the probability of a potential event, i.e., that we may be struck and injured by a vehicle.
Practicing Risk Management in our personal lives is no different from practicing Risk Management in our business lives and roles! Risk Management entails:
- Acknowledging that Threats Exist
- Determining the probability that a potential Threat will occur.
- Understanding and assessing the potential Impact of a Threat Event if it occurs.
- Ranking or Scoring Threat Risks for their Impacts (I.E., Probability X Impact = Risk Score)
- Implementing Risk Actions / Plans to avoid and/or mitigate the impact of Threat Events.
Effective Risk Management requires both Knowing and Doing
Now, let me circle back to Risk Behaviors. I stated earlier that throughout my career I have been amazed by the disconnect I have seen and experienced between the way we behave in our personal lives as compared to how we behave in our business lives regarding Risk. In our daily lives, we naturally embrace our roles as Risk Managers for our own safety, and the safety of our family members and loved ones. Yet it always seems that as soon as we enter our work environments (in an office place or remotely from home or hotel) we often witness employees, at staff, management, and executive levels, unconsciously ignore or abandon any sense of understanding of Business Risk. Most Risk Event impacts occurring today in business, especially related to Cybersecurity and Cyber Insecurity, occur because individuals did not practice the same level of acceptance and ownership of their roles as Managers of Risk in their business lives as they do every day when they leave their work environments and enter their personal life environments. If we did, no staff member, manager, or executive of a company would ever click on a phishing link, be fooled by social scamming, or not fund mandatory security awareness training and certification for every employee of a company, from bottom to top.
In my next blog post, it is my intention to explore Systemic Risk in Business with you.
Feedback and comments are welcome, as well as any specific Cybersecurity or Cyber Insecurity topic you might want me to comment upon.
Joseph F. Norton is a Risk, Security, and Crisis Management professional.
He is a founding member and Qualified Technology Executive of the Digital Directors Network, Chair of the Advisory Board with Next Era Transformation Group, and Chief Security Officer with APF Technologies.
He has served as Chief Security Officer, SVP at Atos, Chief Technology Officer and Head of Operations, SVP at Philips, Chief Technology Officer, SVP at Novartis, Executive-in-Residence with McKinsey & Company, and Chief Technology Officer at McDonald’s. He has also held professional roles during his career with JPMorgan Bank, Oracle, Sybase and Grumman Aerospace Corporation, and the United States Navy.
DISCLAIMER
Copyright ©2023 by DivIHN Integration Inc. | [email protected].